From 0b77cd969c54e4efa6faff507834c183958ec23c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 30 Jun 2014 12:04:03 +1200
Subject: [PATCH] s4-auth: Do not override the NT_STATUS_NOT_IMPLEMENTED error for winbindd

This changes the auth code in winbindd to use this as a flag, and to therefore contact the RW DC.

Change-Id: If4164d27b57b453b398642fdf7d46d03cd0e65f2
Signed-off-by: Andrew Bartlett
Reviewed-by: Nadezhda Ivanova
---
 auth/common_auth.h | 2 +-
 source3/auth/auth.c | 7 +++++++
 source3/winbindd/winbindd_pam.c | 16 ++++++++++++++--
 source4/auth/ntlm/auth.c | 10 +++++++---
 4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/auth/common_auth.h b/auth/common_auth.h
index d9bde018bf3..d1a775d431a 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -26,7 +26,7 @@
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
 #define USER_INFO_INTERACTIVE_LOGON 0x08 /* Interactive logon */
-#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM */
+#define USER_INFO_LOCAL_SAM_ONLY 0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
 #define USER_INFO_INFO3_AND_NO_AUTHZ 0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 enum auth_password_state {
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 6d1192ededd..00261f725fa 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
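Review bot: The new comment on `USER_INFO_LOCAL_SAM_ONLY` in auth/common_auth.h speaks of "missing passwords", but the code changed elsewhere in this patch keys on `NT_STATUS_NOT_IMPLEMENTED` from an auth method and never mentions passwords. A caller reading only the header cannot tell which status it now has to handle. Naming it would make the contract checkable, for example `/* Only authenticate against the local SAM; NT_STATUS_NOT_IMPLEMENTED is passed back unmapped so the caller can fall back */`.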
@@ -232,6 +232,13 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
 DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
 TALLOC_FREE(tmp_ctx);
+ if (user_info->flags & USER_INFO_LOCAL_SAM_ONLY) {
+ /* we don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ nt_status = result;
+ }
 continue;
 }
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 1112b21cbae..dd8f442d3d6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1501,7 +1501,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 result = winbindd_dual_auth_passdb( mem_ctx, 0, name_domain, name_user, &chal_blob, &lm_resp, &nt_resp, info3);
- goto done;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto done;
+ }
 }
 /* check authentication loop */
@@ -1888,7 +1894,13 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 logon_parameters, name_domain, name_user, &chal_blob, &lm_response, &nt_response, info3);
- goto process_result;
+
+ /*
+ * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
+ */
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+ goto process_result;
+ }
 }
 result = winbind_samlogon_retry_loop(domain,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 6d5747eb783..1d1bc5eb856 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
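Review bot: With `USER_INFO_LOCAL_SAM_ONLY` set, the added `nt_status = result;` in `auth_check_ntlm_password` lets `NT_STATUS_NOT_IMPLEMENTED` reach the caller, so every caller that sets this flag has to translate that status before it goes into a reply to a client. Otherwise a remote peer could tell "this server cannot answer for the account" apart from `NT_STATUS_NO_SUCH_USER`. The assignment happens just before `continue`, and the rest of the loop is outside this hunk, so whether the value survives depends on what later auth methods write to `nt_status`. A comment such as `/* kept only if no later method gives an answer */` would make that explicit. The same contract change applies to the source4/auth/ntlm/auth.c hunk, which skips the mapping to `NT_STATUS_NO_SUCH_USER` under the same flag.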
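Review bot: The fall-through to the remote NETLOGON server after `winbindd_dual_auth_passdb` returns `NT_STATUS_NOT_IMPLEMENTED` is silent in `winbindd_dual_pam_auth_samlogon`. Nothing in the log records that a logon which started against the local passdb was forwarded to another DC. A line such as `DEBUG(10, ("local passdb returned NOT_IMPLEMENTED, trying remote NETLOGON\n"));` before leaving the block would make the fallback auditable. It is also worth confirming that `info3` is left unset on this path, since the remote code that follows (outside the hunk) presumably fills the same output. Both points apply equally to the second hunk in `winbind_dual_SamLogon`.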
@@ -375,9 +375,13 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 }
 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
- /* don't expose the NT_STATUS_NOT_IMPLEMENTED
- internals */
- status = NT_STATUS_NO_SUCH_USER;
+ if (!(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {
+ /* don't expose the NT_STATUS_NOT_IMPLEMENTED
+ * internals, except when the caller is only probing
+ * one method, as they may do the fallback
+ */
+ status = NT_STATUS_NO_SUCH_USER;
+ }
 }
 if (tevent_req_nterror(req, status)) {
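Review bot: The comment describing the exception ("except when the caller is only probing one method") now sits inside the branch that performs the hiding, and the two nested `if`s test what is really one condition. Writing it as `if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) && !(state->user_info->flags & USER_INFO_LOCAL_SAM_ONLY)) {` with the comment placed above reads more directly. The comment speaks of "probing one method" while the flag is named for the local SAM, so a sentence linking the two would help the next reader. The body of `auth_check_password_async_trigger` continues outside this hunk.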